Skip to content

E
edx-platform
Commit ec684271 by Justin Riley
Options

lock down proctor server API completely 

Updated handle_ajax to explicitly handle each proctor server command
individually without accepting any parameters from the client. This
completely avoids users being able to interact with the proctor server
API directly. Updated the JS code to do a POST when requesting access
(TODO: proctor server still needs to be updated to require POST - for
now the proctor xmodule still uses GET under the hood until this
gets changed)
parent a5ebe8c5
Showing with 36 additions and 16 deletions
common/lib/xmodule/xmodule/proctor_module.py
import sys import sys
import json import json
import logging import logging
import urllib2
import urlparse import urlparse
import requests import requests
...@@ -47,7 +48,7 @@ class ProctorPanel(object): ...@@ -47,7 +48,7 @@ class ProctorPanel(object):
self.user = user self.user = user
self.ses = requests.session() self.ses = requests.session()
def request(self, url, data=None, json=True): def _make_request(self, url, data=None, json=True):
ret = self.ses.get(urlparse.urljoin(self.proc_url, url), ret = self.ses.get(urlparse.urljoin(self.proc_url, url),
verify=False, data=data, verify=False, data=data,
auth=(self.proc_user, self.proc_pass), auth=(self.proc_user, self.proc_pass),
...@@ -63,10 +64,21 @@ class ProctorPanel(object): ...@@ -63,10 +64,21 @@ class ProctorPanel(object):
data = ret.content data = ret.content
return data return data
def request(self, json=True):
url = 'cmd/request/{0}/{1}'.format(self.user.id,
urllib2.quote(self.procset_name))
data = dict(uname=self.user.username, name=self.user.profile.name)
return self._make_request(url, data=data, json=json)
def status(self, json=True):
url = 'cmd/status/{0}/{1}'.format(self.user.id,
urllib2.quote(self.procset_name))
return self._make_request(url, json=json)
def is_released(self): def is_released(self):
url = 'cmd/status/{0}'.format(self.user.id) url = 'cmd/status/{0}'.format(self.user.id)
log.info('ProctorPanel url={0}'.format(url)) log.info('ProctorPanel url={0}'.format(url))
retdat = self.request(url) retdat = self._make_request(url)
log.info('ProctorPanel retdat={0}'.format(retdat)) log.info('ProctorPanel retdat={0}'.format(retdat))
enabled = retdat.get('enabled', False) enabled = retdat.get('enabled', False)
return enabled return enabled
...@@ -202,14 +214,16 @@ class ProctorModule(ProctorFields, XModule): ...@@ -202,14 +214,16 @@ class ProctorModule(ProctorFields, XModule):
if dispatch == 'reset': if dispatch == 'reset':
username = data.get("username") username = data.get("username")
return self.reset(username) return self.reset(username)
if dispatch == 'status': #if dispatch == 'status':
return self.status() #return self.status()
# if dispatch == 'grades': # if dispatch == 'grades':
# return self.grades() # return self.grades()
# Proctor Panel requests (ALL USERS) # Proctor Panel requests (ALL USERS)
if dispatch.startswith('cmd/'): if dispatch == 'request':
return self.pp.request(dispatch, dict(data.items()), json=False) return self.pp.request(json=False)
if dispatch == 'status':
return self.pp.status(json=False)
if not self.is_released(): # check each time we do get_html() if not self.is_released(): # check each time we do get_html()
html = self.not_released_html() html = self.not_released_html()
......
lms/templates/proctor.html
...@@ -78,22 +78,27 @@ procrel = (function(){ ...@@ -78,22 +78,27 @@ procrel = (function(){
statel.html('<font color="green">' + status + '</font>'); statel.html('<font color="green">' + status + '</font>');
} }
var do_pp_get = function(cmd, gfun){ var _do_pp = function(cmd, type, gfun){
$.ajax({ url: "${ajax_url}/" + cmd, $.ajax({ url: "${ajax_url}/" + cmd,
type: 'GET', type: type,
data: { "uname": "${pp.user.username}",
"name": "${pp.user.profile.name}"
},
success: gfun, success: gfun,
dataType: "json", dataType: "json",
error: function(xhr, status, error) { error: function(xhr, status, error) {
if (!skiperr){ if (!skiperr){
alert('Error: cannot connect to server ' + status + " error: " + error); console.log('Error: cannot connect to server ' + status + " error: " + error);
} }
} }
}); });
} }
var do_pp_get = function(cmd, gfun){
return _do_pp(cmd, 'GET', gfun);
}
var do_pp_post = function(cmd, gfun){
return _do_pp(cmd, 'POST', gfun);
}
var check_access = function(){ var check_access = function(){
do_pp_get('status', function(data){ do_pp_get('status', function(data){
console.log(data); console.log(data);
...@@ -123,10 +128,10 @@ procrel = (function(){ ...@@ -123,10 +128,10 @@ procrel = (function(){
var make_request = function(){ var make_request = function(){
check_count = 0; check_count = 0;
do_pp_get('request', function(result, status, xhr){ do_pp_post('request', function(result, status, xhr){
setstat(result.status); setstat(result.status);
periodic_check(); periodic_check();
}); });
} }
el.click(make_request); el.click(make_request);
...@@ -135,6 +140,7 @@ procrel = (function(){ ...@@ -135,6 +140,7 @@ procrel = (function(){
"check": check_access, "check": check_access,
"make": make_request, "make": make_request,
"do_pp_get": do_pp_get, "do_pp_get": do_pp_get,
"do_pp_post": do_pp_post,
"set_skiperr": set_skiperr "set_skiperr": set_skiperr
}; };
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment